The clock is ticking. It’s been a long time coming, but the European Parliament’s passing of the EU General Data Protection Regulation finally gives insurers a deadline: 25 May 2018. From then, breaches of the new requirements will mean penalties up to four per cent of global turnover or €20 million – whichever is higher. That compares with a maximum of just £500,000 from the Information Commissioners Office in the UK today.

By Ruaraidh Thomas, Managing Director at DST

This gives insurers almost two years to review and adapt their systems and processes. However, in considering this, businesses should think about not just the time they have, but the distance left to travel. For many this is considerable.

A survey by data governance specialist DataIQ for DST published in May supports this. It suggests many businesses poorly understand customers’ concerns about privacy. To take one example, only 15% of businesses surveyed tracked permissions (consumers’ consent to use their data) company-wide. Yet a fifth (21%) of consumers believe permissions should be valid for just six months; more than a quarter (28%) want to be asked for permission on every contact; and a fifth (21%) want all their data deleted immediately following the reason for which it was originally shared.

Many organisations are, quite plainly, not doing any of this, yet the GDPR introduces the concept of a shelf-life for permissions, and much else besides. Meeting these new requirements will require time and investment from insurers.

The process will inevitably change their relationship with their customers – either for the better or worse.

To ensure it’s the former, insurers could view GDPR preparations as not just a cost of compliance but an opportunity to understand their consumers better. If they do, it will not just help ensure compliance but could also support growth and profits in the future.

All change
Notwithstanding this, simply complying with the GDPR is itself a considerable undertaking. The requirements are wide-ranging.

At the outset, many will need to appoint a data protection officer (DPO) with expert knowledge of data protection law and reporting to senior management. A study published by the International Association of Privacy Professionals in April estimated 28,000 DPOs must be recruited across Europe. That includes all life insurers, and is likely to include many other insurers, too, regardless of size. The threshold to be considered engaged in “large-scale” monitoring or processing of sensitive data is, from an insurer’s point of view, relatively low.

Definitions of what constitutes “personal data” and therefore attracts protection are similarly broad; it will, under the new regime, include IP addresses, for example. The obligations, meanwhile, will, unlike at present, extend not just to data controllers (usually the insurer), but also data processors – any third parties instructed to work with the data by the data controller, such as outsourced mailing houses.

The most high profile provisions, however, have concerned the rights customers enjoy once their data is collected: Those include mandatory notification of breaches affecting their personal data; the “right to be forgotten” that allows customers to have their data deleted where it is no longer required for its original purpose; and subject access rights – giving individuals the right to see the personal information the data controller holds on them and who it’s been shared with.

Before this, as noted, there’s the issue of permission: Consent must be freely given, specific, informed and unambiguous, whether for the purposes of underwriting, marketing or anything else. Moreover, consent expires once the data has been used the purpose for which it was given.

The regulation is a “fierce European 'yes' to strong consumer rights and competition in the digital age”, as Jan Philipp Albrecht the MEP who steered the regulation through the European Parliament, put it.

“Citizens will be able to decide for themselves which personal information they want to share.”

The beginning of a beautiful friendship
Compliance is, of course, largely a legal issue, and advice needs to be sought on that basis. A number of points are clear, however.

Most importantly, insurers need to know what data they have – right across the organisation. You can’t manage what you can’t measure, as the adage has it, and this certainly applies to data protection. Without a firm handle on all the information they have on each customer across the organisation ensuring compliance will be impossible.

Tracking permissions; responding to access requests; ensuring expirees and requests for removal are respected; even identifying breaches: none of this will be possible without a coherent picture of the data gathered and held on customers across sales channels, products, and different systems for different functions and business lines. For many systems will need to change. The GDPR does impose costs.

Moreover, the increased control given to customers over their data makes it easier for them to prevent insurers using it for marketing purposes. Even before the GDPR, the rules were already strengthening; witness, for instance, data consumer marketing business Callcredit’s decision earlier this year to suspend use of one of its biggest databases of 46 million consumers following an ICO ruling on consent.

On the other hand, however, the best businesses will see an opportunity: The improved visibility of the data they have on customers and requirement for better quality consents can underpin a better quality dialogue with them. There is the chance to build a much better understanding of customers and their needs.

There is every evidence this will be rewarded. To refer back to the DataIQ survey, while some customers are wary of sharing information at all, many are more willing if it means a better deal (24%) or simply as long as they understand why their data is needed (41%). Of course those who don’t want to hear from you will need to be respected. For those that do, however, the GDPR is not just an obligation but an opportunity to ensure you talk to them in the way and about the issues they want. That’s a discussion that could be significantly more fruitful for everyone.